Thanks for all the hints, finally I got it working with LDAP authentication.
For now, I'm happy with that, although indeed it seems a bit slow...

For future reference, here is my config (although it is straightforward and
can be found on many web resources):

<Location /svn/repos>
    # Enable Subversion
    DAV svn
    SVNPath /mnt/data/rep/svn

    # LDAP Authentication & Authorization is final; do not check other databases
    AuthLDAPAuthoritative on

    # Do basic password authentication in the clear
    AuthType Basic

    # The name of the protected area or "realm"
    AuthName "domain authentication"

    # Active Directory requires an authenticating DN to access records
    # This is the DN used to bind to the directory service
    # This is an Active Directory user account
    AuthLDAPBindDN "CN=someuser,CN=Users,DC=your,DC=domain"

    # This is the password for the AuthLDAPBindDN user in Active Directory
    AuthLDAPBindPassword xxxx

    # The LDAP query URL
    # Format: scheme://host:port/basedn?attribute?scope?filter
    # The URL below will search for all objects recursively below the basedn
    # and validate against the sAMAccountName attribute
    AuthLDAPURL "ldap://pdc:389/DC=your,DC=domain?sAMAccountName?sub?(objectClass=*)"

    # Require authentication for this Location
    Require valid-user
</Location>

Thomas

On 10/21/07, Krist van Besien <krist.vanbesien@xxxxxxxxx> wrote:
> On 10/21/07, Joshua Slive <joshua@xxxxxxxx> wrote:
> > On 10/20/07, Thomas Fazekas <thomas.fazekas@xxxxxxxxx> wrote:
> > > In conclusion, svn with NTLM authentication doesn't work...
> > > My problem is that I can't see any other solution how to bring together
> > > a linux based apache/svn with our NT4 based domain :(
> > >
> > > For the time being I'm just gonna go with win based NT server, it
> > > is disappointing though that I didn't get any reply from the svn mailing list...
> >
> > If all you need is to share the user/password database, then the
> > standard solution is to use ldap access to the NT domain info.
> > I've never done it myself, but I believe lots of people have success
> > with this.
>
> I've set up an apache/svn server that authenticates against an AD
> server, but I didn't use the standard way with mod_auth_ldap.
>
> The problems with using mod_auth_ldap are:
> - AD normally does not allow anonymous binds, so you need a BindDN for
>   your apache server. Another problem was our security policy, that
>   requires passwords to be changed every month.
> - Subversion over http is not very efficient. A lot of separate
>   requests are generated for each subversion action. Basically
>   subversion uses dozens of "PROPFIND" requests to figure out the
>   properties of a file, and each of these requests gets authenticated.
>   As LDAP binds aren't very fast our SVN server wasn't excruciatingly
>   slow when using ldap authentication.
>
> My solution was to use mod_perl (which I already use for webserver
> configuration) and extend the authentication mechanism using perl
> modules.
>
> One of the interesting features of perl authentication handlers is that
> you can stack them. This allows you to cache authentication requests,
> and this speeds up the server massively.
>
> To explain this, let me just show you how it looks in my config file:
>
> AuthType Basic
> AuthName "SVNServer"
> PerlAuthenHandler Apache2::AuthenDBMCache Apache2::AuthenMSAD
>
> PerlSetVar MSADDomain ads.foo.com
> PerlSetVar MSADServer dc.ads.foo.com
>
> require valid-user
> require user joe mary tom
>
> For this to work you need to have an apache server configured for
> mod_perl, and the Apache2::AuthenDBMCache and Apache2::AuthenMSAD
> modules. You can find these on CPAN.
>
> The Apache2::AuthenMSAD uses a feature of MS Active Directory: You can
> bind with a DN of <user>@<domain>. With this you can set up AD
> authentication for your apache server without needing a BindDN for
> your apache server itself.
>
> The Apache2::AuthenDBMCache module caches the authentication info, so
> that not every request requires a connection with the AD server. This
> has made my SVN server a lot faster.
>
> This works for me. More info about these modules can be found in CPAN.
>
> Krist
>
> --
> krist.vanbesien@xxxxxxxxx
> krist@xxxxxxxxxxxxx
> Bremgarten b. Bern, Switzerland
> --
> A: It reverses the normal flow of conversation.
> Q: What's wrong with top-posting?
> A: Top-posting.
> Q: What's the biggest scourge on plain text email discussions?
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
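
A small model of the stacked cache-then-bind arrangement described in the quoted reply, showing how a cache in front of the directory reduces the number of binds per Subversion action. This is an added example, not code from the thread or from the CPAN modules; the class, the fake_bind stand-in, the account, the request count and the TTL are assumptions made for illustration.

```python
import hashlib, hmac, os, time

class CachingAuthenticator:
    """Front handler: answer from a TTL cache, else fall through to a bind."""

    def __init__(self, backend, ttl=300, clock=time.monotonic):
        self.backend = backend  # callable(user, password) -> bool (the slow bind)
        self.ttl = ttl          # seconds a successful bind stays trusted
        self.clock = clock
        self.binds = 0          # number of times the directory was contacted
        self._cache = {}        # user -> (salt, derived_key, expiry)

    @staticmethod
    def _derive(password, salt):
        # Keep a salted PBKDF2 digest in the cache, never the cleartext password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def authenticate(self, user, password):
        entry = self._cache.get(user)
        if entry and entry[2] > self.clock():
            salt, key, _ = entry
            if hmac.compare_digest(key, self._derive(password, salt)):
                return True     # cache hit: no directory round trip
        # Miss, expired entry or non-matching password: ask the directory.
        self.binds += 1
        if not self.backend(user, password):
            return False        # failed binds are never cached
        salt = os.urandom(16)
        self._cache[user] = (salt, self._derive(password, salt),
                             self.clock() + self.ttl)
        return True

def simulate_svn_action(auth, user, password, requests=40):
    """Model one svn action as a burst of individually authenticated requests."""
    return all(auth.authenticate(user, password) for _ in range(requests))

# Constructed stand-in for the directory: one hypothetical account.
DIRECTORY = {"joe@ads.foo.com": "correct horse"}

def fake_bind(user, password):
    return hmac.compare_digest(DIRECTORY.get(user, "").encode(), password.encode())

if __name__ == "__main__":
    auth = CachingAuthenticator(fake_bind)
    print(simulate_svn_action(auth, "joe@ads.foo.com", "correct horse"), auth.binds)
```

The TTL is the trade-off in this model: until an entry expires, a password that has since been changed, or an account that has since been disabled in the directory, is still accepted from the cache.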